Security Advisories

Keeper Connection Manager Security Advisories

Vulnerability Disclosure Program

Keeper has partnered with Bugcrowd to manage our vulnerability disclosure program. Please submit reports through https://bugcrowd.com/keepersecurity or send an email to security@keepersecurity.com.

| Severity (CVSS v3.1 score) | CVE ID | Description | Fixed in Keeper Connection Manager (or legacy Glyptodon) Release |
| --- | --- | --- | --- |
| Low (1.8) | CVE-2020-9497 | Improper input validation of RDP static virtual channels | 1.13, 2.1 |
| Medium (5.9) | CVE-2020-9498 | Dangling pointer in RDP static virtual channel handling | 1.13, 2.1 |
| Medium (4.1) | CVE-2020-11997 | Inconsistent restriction of connection history visibility | 1.14, 2.2 |
| Medium (4.4) | CVE-2021-41767 | Private tunnel identifier may be included in the non-private details of active connections | 1.16, 2.6 |
| High (8.7) | CVE-2021-43999 | Improper validation of SAML responses | 2.7 |

Severity rating scale

Keeper Connection Manager evaluates the factual details of each known vulnerability affecting Keeper Connection Manager and assigns severity ratings using the CVSS v3.1 scoring system, a standard owned by FIRST.Org, Inc. which FIRST has made freely available for public use. This scoring system produces a numeric rating between 0.0 and 10.0, which we then classify according to the "Qualitative Severity Rating Scale" published with the CVSS standard. The specific analysis that went into each assigned score can also be found within the document specific to the vulnerability, linked within the main table above.

| Severity | CVSS score range |
| --- | --- |
| None | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |

CVE-2020-9497: Improper input validation of RDP static virtual channels

Severity: Low

CVSS v3.1 base score: 1.8

CVSS v3.1 vector: AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

Software affected

  • Glyptodon Enterprise 1.12 and older

  • Glyptodon Enterprise 2.0

Description

Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

Preconditions for exploitation

  • Sufficient privileges to compromise an RDP server, replacing its standard RDP service with a malicious service.

  • A Guacamole user account that has been granted access to that RDP server by the Guacamole administrator.

Results of a successful attack

  • Non-directable access to information otherwise only available to the Guacamole administrator (information within the memory of guacd).

Mitigation

Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.

Analysis and CVSS score breakdown

| Metric | Value | Comments |
| --- | --- | --- |
| Attack Vector | Local | Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question. |
| Attack Complexity | High | Exploiting this vulnerability requires the attacker to first compromise an RDP server to which Apache Guacamole has been configured to connect by an administrator. |
| Privileges Required | High | Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question with sufficient privileges to replace the standard RDP service with a malicious or compromised service. |
| User Interaction | None | An attacker would require no additional user interaction beyond their own. |
| Scope | Unchanged | The information disclosed via a successful attack is limited to the information already accessible to the guacd process. |
| Confidentiality Impact | Low | The information disclosed via a successful attack is limited to the information within the memory of the guacd process and cannot be specifically targeted. The attacker does not have control over what information is obtained. |
| Integrity | None | No modification of data is possible through exploiting this vulnerability. |
| Availability | None | Each new connection runs within its own, dedicated child process of guacd. It is possible for an attempt to exploit this vulnerability to cause a crash of that child process (to cause the connection to the compromised/malicious RDP server to disconnect), however the impact is limited to the individual connection being serviced by that process. |
| Exploitability | Functional exploit exists | One of the original reporters of the vulnerability has published examples describing how a vulnerable deployment can be exploited. |
| Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.2.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
| Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.1.0 and older has been acknowledged by the upstream Apache Guacamole project. |

CVE-2020-9498: Dangling pointer in RDP static virtual channel handling

Severity: Medium

CVSS v3.1 base score: 5.9

CVSS v3.1 vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Software affected

  • Glyptodon Enterprise 1.12 and older

  • Glyptodon Enterprise 2.0

Description

Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

Preconditions for exploitation

  • Sufficient privileges to compromise an RDP server, replacing its standard RDP service with a malicious service.

  • A Guacamole user account that has been granted access to that RDP server by the Guacamole administrator.

Results of a successful attack

  • Resource access equivalent to that of the Guacamole administrator (the ability to control guacd).

Mitigation

Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.

Analysis and CVSS score breakdown

| Metric | Value | Comments |
| --- | --- | --- |
| Attack Vector | Local | Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question. |
| Attack Complexity | High | Exploiting this vulnerability requires the attacker to first compromise an RDP server to which Apache Guacamole has been configured to connect by an administrator. |
| Privileges Required | High | Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question with sufficient privileges to replace the standard RDP service with a malicious or compromised service. |
| User Interaction | None | An attacker would require no additional user interaction beyond their own. |
| Scope | Unchanged | The scope of any attack remains bounded by the privileges granted to the guacd process. |
| Confidentiality Impact | High | Arbitrary code executed through this vulnerability runs with the privileges of the guacd process. The executed code would be able to specifically access any information available to the guacd process, whether in memory or on disk. |
| Integrity | High | Arbitrary code executed through this vulnerability runs with the privileges of the guacd process. The executed code would be able to specifically access or modify any data that the guacd process itself can modify. |
| Availability | High | Arbitrary code executed through this vulnerability runs with the privileges of the guacd process, and thus would be able to affect the availability of other connections or the guacd process itself. |
| Exploitability | Functional exploit exists | The original reporter of the vulnerability has published examples describing how a vulnerable deployment can be exploited. |
| Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.2.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
| Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.1.0 and older has been acknowledged by the upstream Apache Guacamole project. |

CVE-2020-11997: Inconsistent restriction of connection history visibility

Severity: Medium

CVSS v3.1 base score: 4.1

CVSS v3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C

Software affected

  • Glyptodon Enterprise 1.13 and older

  • Glyptodon Enterprise 2.1 and older

Description

Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.

Preconditions for exploitation

  • Multiple users that share access to the same connections.

Results of a successful attack

  • A user with access to a connection is able to see whether other users have accessed that connection, as well as the IP addresses used to access the connection.

Mitigation

Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.

Analysis and CVSS score breakdown

| Metric | Value | Comments |
| --- | --- | --- |
| Attack Vector | Network | Exploiting this vulnerability relies only on communicating with the web application through standard mechanisms, as already exposed by Guacamole's web interface. |
| Attack Complexity | Low | Exploiting this vulnerability requires limited technical ability, as the information in question is retrieved through standard mechanisms already exposed by Guacamole's web interface. |
| Privileges Required | Low | Obtaining the information in question requires a user account with access to one or more connections. Information on connection usage can be retrieved only for connections accessible by the user. |
| User Interaction | None | An attacker would require no additional user interaction beyond their own. |
| Scope | Unchanged | The scope of information obtained does not extend beyond what Guacamole is explicitly designed to provide. |
| Confidentiality Impact | Low | Retrievable information is limited to the usernames of users that have accessed connections that the current user may also access, as well as the IP addresses used for those past accesses. |
| Integrity | None | Data integrity is in no way affected. The relevant information may be read, not modified. |
| Availability | None | The availability of Guacamole and all related services is unaffected. |
| Exploitability | High | Exploiting this vulnerability requires limited technical ability, as the information in question is retrieved through standard mechanisms already exposed by Guacamole's web interface. |
| Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.3.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
| Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.2.0 and older has been acknowledged by the upstream Apache Guacamole project. |

CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active connections

Severity: Medium

CVSS v3.1 base score: 4.4

CVSS v3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:X/RL:O/RC:C

Software affected

  • Glyptodon Enterprise 1.15 and older

  • Glyptodon Enterprise 2.5 and older

Description

Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

Preconditions for exploitation

  • Multiple users that share access to the same connections, which are (1) already in use and (2) originally established using the HTTP tunnel instead of WebSocket.

Results of a successful attack

  • A user with access to a connection that is already in use by another user via the HTTP tunnel is able to read instantaneous blocks of transmitted connection data, as well as transmit data over that connection.

Mitigation

Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.

Analysis and CVSS score breakdown

| Metric | Value | Comments |
| --- | --- | --- |
| Attack Vector | Network | Exploiting this vulnerability relies only on communicating with the web application through standard mechanisms, as already exposed by Guacamole's web interface. |
| Attack Complexity | Low | Exploiting this vulnerability requires limited technical ability, as the information in question is retrieved through standard mechanisms already exposed by Guacamole's web interface. |
| Privileges Required | Low | Obtaining the information in question requires a user account with access to one or more connections. Information on active connection usage can be retrieved only for connections accessible by the user. |
| User Interaction | Required | Another user must establish a connection before an attacker may attempt to exploit the issue. |
| Scope | Unchanged | The scope of information obtained does not extend beyond what Guacamole is explicitly designed to provide. |
| Confidentiality Impact | Low | Retrievable information is limited to instantaneous data transmitted over an active connection that the current user may also access. |
| Integrity | Low | Writable/modifiable information is limited to interactive data transmitted over an active connection that the current user may also access. |
| Availability | None | The availability of Guacamole and all related services is unaffected. |
| Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.4.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
| Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.3.0 and older has been acknowledged by the upstream Apache Guacamole project. |

CVE-2021-43999: Improper validation of SAML responses

Severity: High

CVSS v3.1 base score: 8.7

CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:O/RC:C

Software affected

  • Glyptodon Enterprise 2.6 and older

Description

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

Preconditions for exploitation

  • SAML support for Apache Guacamole is enabled.

Results of a successful attack

  • A malicious user may assume the identity of another existing Guacamole user.

Mitigation

Glyptodon Enterprise 2.x has been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.

Glyptodon Enterprise 1.x does not have support for SAML available and is not affected.

Analysis and CVSS score breakdown

| Metric | Value | Comments |
| --- | --- | --- |
| Attack Vector | Network | Exploiting this vulnerability relies only on communicating with the web application through standard mechanisms, as already exposed by Guacamole's web interface. |
| Attack Complexity | Low | Exploiting this vulnerability requires limited technical ability. |
| Privileges Required | None | No privileges are required to attempt to exploit this vulnerability. |
| User Interaction | None | An attacker would require no additional user interaction beyond their own. |
| Scope | Unchanged | The scope of information obtained does not extend beyond what Guacamole is explicitly designed to provide. |
| Confidentiality Impact | High | Any information accessible to the user impersonated by the attacker would be accessible. |
| Integrity | High | Any information writable/modifiable by the user impersonated by the attacker would be accessible. |
| Availability | None | The availability of Guacamole and all related services is unaffected. |
| Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.4.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
| Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.2.0 and 1.3.0 has been acknowledged by the upstream Apache Guacamole project. |